The Devil in the Details

A week ago, the Justice Srikrishna Committee released a draft Personal Data Protection Bill and a Report to go with it. This is another step in the progress that has been made in the past year to create a data protection framework for India. It started with the Supreme Court judgement that recognised privacy as a fundamental right. This was followed by the constitution of the Justice Srikrishna Committee, the release of a White Paper, and public consultations on the recommendations made under it.

The Bill and the Report, which had been expected for the better part of six months, have already attracted a flurry of critical commentary. While there are elements of these documents which are welcome, there are also serious concerns that require further attention.

One of the positive aspects of the proposed law is its attention to detail. It is comprehensive and ticks most of the boxes that a data protection law ought to have. It vests individuals with certain rights with respect to their personal data, imposes obligations on entities that collect and process such data, and envisages a regulatory infrastructure that is supposed to facilitate the ecosystem within which data is collected, processed, and transferred. The Bill is also applicable to State entities, which is an upgrade over the status quo.